Deleted User Account Is Trying to Log Into A Linux Server
Ron didn't leave behind any documentation on servers, programs or scripts. So I'm discovering stuff every day as I clean up behind Ron. Once I started the position, I locked Ron's account and then 60 days later deleted it. Like I said, I'm upgrading from syslog to rsyslog when it showed up and I'm digging into it now.
Ow crap! I've been in exactly the same position, only that the one that left was called Peter. No documentation, scattered infra, passwords that are all over the place, leaky internet policy...
All resulted in overtime on weekends, cleaning after the sales team that consisted of juvenile punks that used the LAN as a playground...
(sorry for venting, but...I feel with you...good luck)
Melissa
I think we've all been there, if you've done this job for a while.
Honestly, it has been an ***AWESOME*** experience as a Linux System Admin. I want to push it further in the right direction.
As a friend once said to me, "if everything was set up to run perfectly, you would never learn anything."
Sure, there are times it's terrible and where I shake my head. Late nights and weekends, reading stuff on the fly trying to fix stuff, and I'm the only Linux admin on our IT staff, so other than the Internet and this forum, I don't have a place to ask questions and look for mentoring.
However, what I said to myself when this position was offered to me is that here is finally my chance to put my tech career in the right direction.
Indeed. And the best lesson you can take from Ron's efforts is what NOT to do. That is, you now have a clean slate...perfect time to implement a knowledgebase/wiki in your shop, and document EVERYTHING. Make it *BETTER* than it is, have it run smoother, and be able to go on vacation without your cell-phone ringing every ten minutes, because no one can figure anything out. That good work will follow you a LONG way, believe me.
Folks like Ron are a dime a dozen...my team and I are routinely called in to untangle crap like this all the time.
So, what have you learned about this 143.83.xxx.xxx IP?
Did you check it at http://www.tcpiputils.com/browse/ip-address/ to see who it's assigned to?
No Keys found? cron? I agree with TB0ne, it's likely something innocuous like a backup job/script/something.
You said you upgraded to rsyslog and discovered this. Are you collectively forwarding logs?
Why did you upgrade to rsyslog?
You said 'ron' hit you "from 2 servers"... same IP and/or in the same range?
These 2 servers, what is the common denominator between them?
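An added example, not part of any post in this thread: one way to answer the "same IP and/or in the same range?" and "cron?" questions from the logs themselves. It assumes the attempts arrive over SSH and are logged in OpenSSH's syslog format; the sample lines, addresses and the `summarize` helper are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH sshd syslog format (not from the thread).
SAMPLE_LOG = """\
Mar  3 02:00:01 web01 sshd[2211]: Invalid user ron from 192.0.2.10 port 51122
Mar  3 02:00:03 web01 sshd[2211]: Failed password for invalid user ron from 192.0.2.10 port 51122 ssh2
Mar  3 02:15:01 web01 sshd[2290]: Invalid user ron from 192.0.2.77 port 40210
Mar  3 02:17:44 web01 sshd[2301]: Invalid user admin from 203.0.113.5 port 33810
Mar  4 02:00:01 web01 sshd[3120]: Invalid user ron from 192.0.2.10 port 51390
Mar  4 02:15:02 web01 sshd[3188]: Invalid user ron from 192.0.2.77 port 40466
"""

# Match only the "Invalid user" line so each connection is counted once
# (the follow-up "Failed password for invalid user" line is skipped).
INVALID_USER = re.compile(
    r"^\w{3}\s+\d+ (?P<hhmm>\d\d:\d\d):\d\d \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?P<ip>\S+)"
)

def summarize(log_text, user, prefix_len=24):
    """Per source IP: attempt count and the times of day `user` was tried."""
    sources = defaultdict(lambda: {"count": 0, "times": set()})
    for line in log_text.splitlines():
        m = INVALID_USER.match(line)
        if m and m.group("user") == user:
            entry = sources[m.group("ip")]
            entry["count"] += 1
            entry["times"].add(m.group("hhmm"))
    # Collapse each source to its enclosing network to test "same range".
    nets = {ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
            for ip in sources}
    return {
        "sources": {ip: {"count": v["count"], "times": sorted(v["times"])}
                    for ip, v in sources.items()},
        "same_range": len(sources) > 1 and len(nets) == 1,
        # Heuristic: every source repeats at one fixed minute, which is
        # what a leftover cron/backup job looks like, not a person.
        "looks_scheduled": bool(sources) and all(
            v["count"] > 1 and len(v["times"]) == 1 for v in sources.values()),
    }
```

If `looks_scheduled` comes back true, the crontabs and scripts on the source servers are the next place to look for a job still configured with the deleted account's name.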